Setup A KDC Server

General Information

Setting up a KDC server for practice with the RHCE exam objectives: “Configure a system to authenticate using Kerberos” and “Use Kerberos to control access to NFS network shares”.

The second part sets up a Kerberos client, again using local accounts.

Lab Setup

The following virtual machines will be used:

  • ( → Kerberos Client
  • ( → Kerberos KDC


  • Fully qualified domain names are required
    • Setup /etc/hosts with IP addresses and FQDNs
  • This setup assumes you are NOT using LDAP or FreeIPA combined with Kerberos (which is why local users are created)

Kerberos KDC: Install Packages

Install main packages required

yum install krb5-server krb5-workstation pam_krb5

Kerberos KDC: Configure the Server

KDC Config: Edit /var/kerberos/krb5kdc/kdc.conf and replace the domain with the desired domain

vim /var/kerberos/krb5kdc/kdc.conf

Kadmin ACL: Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with desired domain

vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@MYDOMAIN.COM  *

KRB5 Client Config: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain

vim /etc/krb5.conf
default_realm = MYDOMAIN.COM
  kdc =
  admin_server =
[domain_realm]
  = MYDOMAIN.COM
  = MYDOMAIN.COM

Kerberos KDC: Create the KDC Database and Start

Create the Kerberos database

kdb5_util -r MYDOMAIN.COM create -s
  • -r → realm name
  • create -s → Create database with stash file for master database key
  • You will be prompted to enter a KDC database master password after a few minutes. It takes time because random entropy is gathered for the database.

Enable and start the services

systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc

Kerberos KDC: Create Principals for Users and Hosts

Open the Kerberos admin tool


Add the principal for root/admin

addprinc root/admin
  • Enter a new password for root/admin

Add a user principal

addprinc user1
  • Prompted for a new password for user1

Add the hostname of the KDC server so the Kerberos database knows about the server it is installed on

addprinc -randkey host/

Add the host principal to the local keytab (/etc/krb5.keytab) so Kerberos client commands can use it automatically

ktadd host/

Exit the Kerberos admin tool


Kerberos KDC: Setup OS Components for Testing

Configure SSH

vim /etc/ssh/sshd_config
GSSAPIAuthentication yes

Reload the SSHD config

systemctl reload sshd

Configure PAM authentication (authconfig) to enable krb5

authconfig --enablekrb5 --update

Copy the built-in kerberos firewalld service file to the override location

cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml

Edit the kerberos.xml file and add the kadmin port

  <port protocol="tcp" port="749"/>
  • The built-in kerberos service does NOT include tcp/749 (kadmin)
  • If you don't remember the port, check ss or netstat for listening kadmin services
    ss -antp | grep kadmin
    netstat -antp | grep kadmin

Open up firewall ports

firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
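As an added example (not part of the original wiki page), the following shell functions check the files edited above: the kadm5.acl entry, the default_realm in /etc/krb5.conf, GSSAPIAuthentication in sshd_config, and the kadmin port in the firewalld kerberos service override. Each function takes a file path so it can be run against the live files or, as here, against constructed sample files; all function names and sample contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original wiki page: checks for the KDC
# configuration steps above. Function names and sample file contents are
# constructed for this example.

# 0 if the realm's */admin principals have full rights in kadm5.acl.
check_kadm5_acl() {   # $1 = kadm5.acl path, $2 = realm (e.g. MYDOMAIN.COM)
    grep -Eq "^\*/admin@$2[[:space:]]+\*[[:space:]]*$" "$1"
}

# 0 if default_realm is set to the expected realm on an uncommented line.
check_default_realm() {   # $1 = krb5.conf path, $2 = realm
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# 0 if "GSSAPIAuthentication yes" is present and not commented out.
check_gssapi() {   # $1 = sshd_config path
    grep -Eiq "^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes" "$1"
}

# Write a copy of the firewalld kerberos service with the kadmin port (tcp/749)
# added once before </service>; 0 if the port line is present in the copy.
add_kadmin_port() {   # $1 = source kerberos.xml, $2 = override file to write
    if grep -q 'port="749"' "$1"; then
        cp "$1" "$2"          # already present: do not add a second line
    else
        awk '/^[[:space:]]*<\/service>/ { print "  <port protocol=\"tcp\" port=\"749\"/>" } { print }' "$1" > "$2"
    fi
    grep -q '<port protocol="tcp" port="749"/>' "$2"
}

# Demo on constructed sample files (realm MYDOMAIN.COM, minimal service XML).
DEMO_DIR=$(mktemp -d)
printf '*/admin@MYDOMAIN.COM  *\n' > "$DEMO_DIR/kadm5.acl"
printf '[libdefaults]\n# default_realm = EXAMPLE.COM\n default_realm = MYDOMAIN.COM\n' > "$DEMO_DIR/krb5.conf"
printf '#GSSAPIAuthentication no\nGSSAPIAuthentication yes\n' > "$DEMO_DIR/sshd_config"
printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>Kerberos</short>\n  <port protocol="tcp" port="88"/>\n  <port protocol="udp" port="88"/>\n</service>\n' > "$DEMO_DIR/kerberos.xml"

for f in "check_kadm5_acl $DEMO_DIR/kadm5.acl MYDOMAIN.COM" \
         "check_default_realm $DEMO_DIR/krb5.conf MYDOMAIN.COM" \
         "check_gssapi $DEMO_DIR/sshd_config" \
         "add_kadmin_port $DEMO_DIR/kerberos.xml $DEMO_DIR/kerberos-override.xml"; do
    if $f; then echo "PASS: $f"; else echo "FAIL: $f"; fi
done
```

When run against the live files (/var/kerberos/krb5kdc/kadm5.acl, /etc/krb5.conf, /etc/ssh/sshd_config and /usr/lib/firewalld/services/kerberos.xml), the override written by add_kadmin_port still needs the firewall-cmd --reload step from the page to take effect.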

Kerberos KDC: Test the KDC Server

Add a user account

useradd user1

Switch to that user

su - user1

Initialize Kerberos authentication

  • You will be prompted for the user1 principal password created earlier

SSH to the fully qualified name of the local system


Kerberos Client: Package Install

Install the required packages

yum install krb5-workstation pam_krb5

Kerberos Client: Configure the Kerberos Client

Setup the krb5.conf file

  • Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
  • OR copy the /etc/krb5.conf file from the KDC server to the client

Create the user

useradd user1

Open the Kerberos admin tool on the client system


Add a new host principal for the client to the Kerberos database

addprinc -randkey host/

Create the local keytab file for the client

ktadd host/

Exit the admin tool


Kerberos Client: Configure the Client OS Components

Uncomment the required GSSAPI lines

vim /etc/ssh/sshd_config
GSSAPIAuthentication yes

Reload the SSHD config

systemctl reload sshd

Configure PAM authentication to enable krb5

authconfig --enablekrb5 --update

Kerberos Client: Test The Client

Change to the user

su - user1

Initialize kerberos


SSH to the KDC server

  • You should not be prompted for a password, because a Kerberos ticket has already been obtained

  • linux_wiki/setup_a_kdc_server.txt
  • Last modified: 2019/05/25 23:50